Intermediaries can’t track users all the time, govt clarifies in IT Rules

Intermediaries will not be allowed to track users all the time under the guise of enforcing the first originator rules, the government clarified on Monday, and reiterated that traceability norms laid down in the Indian IT Rules 2021 do not compromise end-to-end encryption.

The Ministry of Electronics and Information Technology (MeitY) issued these clarifications as part of a 28-page frequently asked questions (FAQ) document, relating to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, or IT Rules. 

The document comprising five sections also contains clarifications on terminology, due diligence to be followed by intermediaries and significant social media intermediaries (SSMIs), and the grounds of non-compliance to the rules.

According to the document, the definition of intermediaries will remain as defined in the country’s IT Act, 2000, which includes everything from telecom service providers to search engines, online payment websites and even cyber cafes. The document adds that many other online platforms “may qualify as intermediaries with respect to the third-party content made available, shared, hosted, stored or transmitted on their platforms including websites and mobile Apps”.

“Some entities may be functioning both like an intermediary as well as a ‘news aggregator’ or ‘publisher of news and current affairs content’ as defined in rule 2(o) and rule 2(t). Further clarification with respect to rule 5, and Part III of the Rules relating to news and current affairs content may be sought from the Ministry of Information & Broadcasting (MIB),” according to the document.

“The whole document is focusing on the user perspective, which is very good,” said N.S. Nappinai, Supreme Court lawyer and a cyberlaw expert. For instance, the clarification issues with respect to tracking the first originator of a message or post could be good for users. 

“The clarification given for the first originator rules shows that you don’t really need that rule at all. It was already part of the law,” Nappinai said, adding, “The clarifications set out very clearly that only as and when directions under Section 69 of the IT Act are given, can they trace the user, which allays surveillance fears.” 

She added, though, that these clarifications may not suffice. For instance, Nappinai believes the FAQs could have categorically defined the categories of Intermediaries which are required to appoint grievance officers. She added that the document should have included examples of websites, or perhaps categories of apps and websites that will need to appoint these officers, as that would have further helped users to seek redress. 

“The clarifications interestingly talk about stakeholder consultations without specifying where there was a consultation for the specific rules. It also selectively arbitrates the ratio decedendi ( a legal term for ‘the reason’) of those judgements of the Supreme Court that support its promulgation, but ignores the key principles surrounding the grant of safe harbour protections to intermediaries,” said Akash Karmakar, a partner at the Law Offices of Panag & Babu, said.

The government has also reiterated its stance that the traceability norms laid down in the new rules do not break end-to-end encryption--a technology used to make text messages, calls and other communications indecipherable to anyone other than its sender and receiver. Messaging major WhatsApp has sued the government on this rule, and argued that it cannot find the first originator of a message without breaking encryption.

“We appreciate the government's efforts in bringing more clarity on the 2021 IT Rules. We look forward to studying the FAQs,” a spokesperson from Meta, formerly called Facebook, said.